From: Matthew Garrett <matthew.garrett@nebula.com> To: David Woodhouse <dwmw2@infradead.org> Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, "linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>, "keescook@chromium.org" <keescook@chromium.org>, "hpa@zytor.com" <hpa@zytor.com> Subject: Re: [PATCH V3 02/11] PCI: Lock down BAR access when module security is enabled Date: Wed, 4 Sep 2013 17:04:46 +0000 [thread overview] Message-ID: <1378314286.13193.5.camel@x230> (raw) In-Reply-To: <1378313861.4210.39.camel@i7.infradead.org> [-- Warning: decoded text below may be mangled, UTF-8 assumed --] [-- Attachment #1: Type: text/plain; charset="utf-8", Size: 1836 bytes --] On Wed, 2013-09-04 at 17:57 +0100, David Woodhouse wrote: > On Tue, 2013-09-03 at 19:50 -0400, Matthew Garrett wrote: > > Any hardware that can potentially generate DMA has to be locked down from > > userspace in order to avoid it being possible for an attacker to modify > > kernel code, allowing them to circumvent disabled module loading or module > > signing. Default to paranoid - in future we can potentially relax this for > > sufficiently IOMMU-isolated devices. > > Can you elaborate on what you mean by "sufficiently IOMMU-isolated", and > what's missing before we can do that? Do we have in-kernel API to guarantee that a given PCI device is actively isolated by an IOMMU such that it can't modify any host kernel pages that aren't explicitly intended to be writable by the device? That seems to be the biggest constraint. > If a given device is protected by an active IOMMU, and if there's no > driver loaded and hence no active DMA mappings for the device in > question, then we ought to be able to prod at it safely, right? It can't > DMA anywhere anyway. How does virt passthrough work in this case? The current situation appears to be that qemu just passes the BARs through to the guest, and it's the guest that sets things up. We'd need to be able to ensure that there's no way the guest driver can cause DMA into the host kernel. > And there are non-DMA considerations too, aren't there? What about just > writing some fun stuff to a memory BAR and then writing to PCI config to > map that BAR to an address that we can get executed by kernel code? Yes, that's why config space is locked down for now. -- Matthew Garrett <matthew.garrett@nebula.com> ÿôèº{.nÇ+·®+%Ëÿ±éݶ\x17¥wÿº{.nÇ+·¥{±þG«éÿ{ayº\x1dÊÚë,j\a¢f£¢·hïêÿêçz_è®\x03(éÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?¨èÚ&£ø§~á¶iOæ¬z·vØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?I¥
WARNING: multiple messages have this Message-ID (diff)
From: Matthew Garrett <matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org> To: David Woodhouse <dwmw2-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> Cc: "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, "linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" <linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, "keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org" <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>, "hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org" <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org> Subject: Re: [PATCH V3 02/11] PCI: Lock down BAR access when module security is enabled Date: Wed, 4 Sep 2013 17:04:46 +0000 [thread overview] Message-ID: <1378314286.13193.5.camel@x230> (raw) In-Reply-To: <1378313861.4210.39.camel-W2I5cNIroUsVm/YvaOjsyQ@public.gmane.org> On Wed, 2013-09-04 at 17:57 +0100, David Woodhouse wrote: > On Tue, 2013-09-03 at 19:50 -0400, Matthew Garrett wrote: > > Any hardware that can potentially generate DMA has to be locked down from > > userspace in order to avoid it being possible for an attacker to modify > > kernel code, allowing them to circumvent disabled module loading or module > > signing. Default to paranoid - in future we can potentially relax this for > > sufficiently IOMMU-isolated devices. > > Can you elaborate on what you mean by "sufficiently IOMMU-isolated", and > what's missing before we can do that? Do we have in-kernel API to guarantee that a given PCI device is actively isolated by an IOMMU such that it can't modify any host kernel pages that aren't explicitly intended to be writable by the device? That seems to be the biggest constraint. > If a given device is protected by an active IOMMU, and if there's no > driver loaded and hence no active DMA mappings for the device in > question, then we ought to be able to prod at it safely, right? It can't > DMA anywhere anyway. How does virt passthrough work in this case? The current situation appears to be that qemu just passes the BARs through to the guest, and it's the guest that sets things up. We'd need to be able to ensure that there's no way the guest driver can cause DMA into the host kernel. > And there are non-DMA considerations too, aren't there? What about just > writing some fun stuff to a memory BAR and then writing to PCI config to > map that BAR to an address that we can get executed by kernel code? Yes, that's why config space is locked down for now. -- Matthew Garrett <matthew.garrett@nebula.com>
next prev parent reply other threads:[~2013-09-04 17:04 UTC|newest] Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top 2013-09-03 23:50 Matthew Garrett 2013-09-03 23:50 ` (unknown), Matthew Garrett 2013-09-03 23:50 ` [PATCH V3 01/11] Add secure_modules() call Matthew Garrett 2013-09-04 0:45 ` James Morris 2013-09-04 0:45 ` James Morris 2013-09-05 2:14 ` joeyli 2013-09-05 2:14 ` joeyli 2013-09-03 23:50 ` [PATCH V3 02/11] PCI: Lock down BAR access when module security is enabled Matthew Garrett 2013-09-04 0:45 ` James Morris 2013-09-04 0:45 ` James Morris 2013-09-04 16:57 ` David Woodhouse 2013-09-04 16:57 ` David Woodhouse 2013-09-04 17:04 ` Matthew Garrett [this message] 2013-09-04 17:04 ` Matthew Garrett 2013-09-04 18:58 ` David Woodhouse 2013-09-04 19:01 ` Matthew Garrett 2013-09-04 19:01 ` Matthew Garrett 2013-09-04 19:31 ` David Woodhouse 2013-09-04 19:31 ` David Woodhouse 2013-09-03 23:50 ` [PATCH V3 03/11] x86: Lock down IO port " Matthew Garrett 2013-09-04 0:45 ` James Morris 2013-09-05 3:52 ` H. Peter Anvin 2013-09-05 3:52 ` H. Peter Anvin 2013-09-05 3:58 ` Matthew Garrett 2013-09-05 3:58 ` Matthew Garrett 2013-09-05 15:36 ` H. Peter Anvin 2013-09-05 15:36 ` H. Peter Anvin 2013-09-03 23:50 ` [PATCH V3 04/11] ACPI: Limit access to custom_method Matthew Garrett 2013-09-04 0:46 ` James Morris 2013-09-04 0:46 ` James Morris 2013-09-03 23:50 ` [PATCH V3 05/11] asus-wmi: Restrict debugfs interface when module loading is restricted Matthew Garrett 2013-09-04 0:46 ` James Morris 2013-09-04 0:46 ` James Morris 2013-09-03 23:50 ` [PATCH V3 06/11] Restrict /dev/mem and /dev/kmem " Matthew Garrett 2013-09-04 0:47 ` James Morris 2013-09-04 0:47 ` James Morris 2013-09-03 23:50 ` [PATCH V3 07/11] acpi: Ignore acpi_rsdp kernel parameter " Matthew Garrett 2013-09-03 23:50 ` Matthew Garrett 2013-09-03 23:50 ` [PATCH V3 08/11] kexec: Disable at runtime if the kernel enforces module loading restrictions Matthew Garrett 2013-09-04 0:48 ` James Morris 2013-09-04 0:48 ` James Morris 2013-09-04 20:09 ` jerry.hoemann 2013-09-04 20:09 ` jerry.hoemann-VXdhtT5mjnY 2013-09-04 20:12 ` Matthew Garrett 2013-09-04 20:12 ` Matthew Garrett 2013-09-04 20:12 ` Matthew Garrett 2013-09-04 20:14 ` Josh Boyer 2013-09-04 20:14 ` Josh Boyer 2013-09-04 20:14 ` Josh Boyer 2013-09-08 6:40 ` Greg KH 2013-09-08 6:40 ` Greg KH 2013-09-08 6:44 ` Matthew Garrett 2013-09-08 6:44 ` Matthew Garrett 2013-09-08 7:24 ` Greg KH 2013-09-08 7:24 ` Greg KH 2013-09-08 14:40 ` Matthew Garrett 2013-09-08 14:40 ` Matthew Garrett 2013-09-08 15:51 ` Kees Cook 2013-09-08 15:51 ` Kees Cook 2013-09-08 16:18 ` Greg KH 2013-09-08 16:18 ` Greg KH 2013-09-08 16:24 ` Matthew Garrett 2013-09-08 16:24 ` Matthew Garrett 2013-09-08 16:39 ` Greg KH 2013-09-08 16:39 ` Greg KH 2013-09-08 16:59 ` Matthew Garrett 2013-09-08 16:59 ` Matthew Garrett 2013-09-08 17:22 ` Greg KH 2013-09-08 17:22 ` Greg KH 2013-09-08 17:25 ` Matthew Garrett 2013-09-08 17:25 ` Matthew Garrett 2013-09-08 17:11 ` James Bottomley 2013-09-08 17:11 ` James Bottomley 2013-09-08 17:15 ` Matthew Garrett 2013-09-08 17:15 ` Matthew Garrett 2013-09-08 17:22 ` James Bottomley 2013-09-08 17:22 ` James Bottomley 2013-09-08 17:27 ` Matthew Garrett 2013-09-08 17:27 ` Matthew Garrett 2013-09-08 17:32 ` James Bottomley 2013-09-08 17:32 ` James Bottomley 2013-09-08 17:38 ` Matthew Garrett 2013-09-08 17:38 ` Matthew Garrett 2013-09-03 23:50 ` [PATCH V3 09/11] uswsusp: Disable when module loading is restricted Matthew Garrett 2013-09-04 0:48 ` James Morris 2013-09-04 0:48 ` James Morris 2013-09-05 3:20 ` joeyli 2013-09-05 3:20 ` joeyli 2013-09-03 23:50 ` [PATCH V3 10/11] x86: Restrict MSR access " Matthew Garrett 2013-09-04 0:49 ` James Morris 2013-09-04 0:49 ` James Morris 2013-09-03 23:50 ` [PATCH V3 11/11] Add option to automatically enforce module signatures when in Secure Boot mode Matthew Garrett 2013-09-03 23:50 ` Matthew Garrett 2013-09-04 1:42 ` James Morris 2013-09-04 1:42 ` James Morris 2013-09-04 1:42 ` Matthew Garrett 2013-09-04 1:42 ` Matthew Garrett 2013-09-05 3:13 ` joeyli 2013-09-05 8:24 ` joeyli 2013-09-05 8:24 ` joeyli 2013-09-05 10:16 ` Matt Fleming 2013-09-05 10:16 ` Matt Fleming 2013-09-05 12:54 ` Matthew Garrett 2013-09-05 12:54 ` Matthew Garrett 2013-09-04 15:53 ` Kees Cook 2013-09-04 15:53 ` Re: Kees Cook 2013-09-04 16:05 ` Re: Josh Boyer 2013-09-04 16:05 ` Re: Josh Boyer
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1378314286.13193.5.camel@x230 \ --to=matthew.garrett@nebula.com \ --cc=dwmw2@infradead.org \ --cc=hpa@zytor.com \ --cc=keescook@chromium.org \ --cc=linux-efi@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.